CLAIMS 

What is claimed as new and desired to be protected by 
Letters Patent of the United States is: 

1 . A method for isolating access by application programs to 
native resources provided by an operating system, the 
method comprising the steps of: 

redirecting to an isolation environment comprising a user 
isolation scope and an application isolation scope a request 
for a native resource made by a process executing on 
behalf of a first user; 

locating an instance of the requested resource in the user 
isolation scope on behalf of a first user; and 
responding to the request for the native resource using the 
instance of the resource located in the user isolation scope. 

2. The method of claim 1 wherein step (b) comprises failing to 
locate an instance of the requested resource in the user 
isolation scope. 

3. The method of claim 2 wherein step (c) comprises 
redirecting the request to the application isolation scope. 



4. The method of claim 3 further comprising the steps of: 
locating an instance of the requested resource in the 
application isolation scope; and 

responding to the request for the native resource using the 
instance of the resource located in the application isolation 
scope. 

5. The method of claim 4 wherein step (e) comprises creating 
an instance of the requested resource in the user isolation 
scope that corresponds to the instance of the requested 
resource located in the application isolation scope and 
responding to the request for the native resource using the 
instance of the resource created in the user isolation scope. 

6. The method of claim 4 wherein step (d) comprises failing to 
locate an instance of the requested native resource in the 
application isolation scope. 

7. The method of claim 6 wherein step (e) comprises 
responding to the request for the native resource using the 
system-scoped native resource. 



8. The method of claim 6 wherein step (e) comprises: 
creating an instance of the requested resource in the user 
isolation scope that corresponds to the instance of the 
requested resource located in the system scope and 
responding to the request for the native resource using the 
instance of the resource created in the user isolation scope. 

9. The method of claim 1 further comprising the step of 
hooking a request for a native resource made by a process 
executing on behalf of a first user. 

1 0. The method of claim 1 further comprising the step of 

intercepting a request for a native resource executing on 
behalf of a first user. 

1 1 . The method of claim 1 further comprising the step of 
intercepting by a file system filter driver a request for a file 
system native resource executing on behalf of a first user. 

12. The method of claim 1 wherein step (a) comprises 
redirecting to an isolation environment comprising a user 
isolation scope and an application isolation scope a request 



for a file made by a process executing on behalf of a first 
user. 

1 3. The method of claim 1 wherein step (a) comprises 

redirecting to an isolation environment comprising a user 
isolation scope and an application isolation scope a request 
for a registry database entry made by a process executing 
on behalf of a first user. 

14. The method of claim 1 further comprising the steps of: 
redirecting to the isolation environment a request for the 
native resource made by a second process executing on 
behalf of a second user; 

locating an instance of the requested resource in a second 
user isolation scope; and 

responding to the request for the native resource using the 
version of the native resource located in the second user 
isolation scope. 

1 5. The method of claim 1 4 wherein the process executes 
concurrently on behalf of a first user and a second user. 



1 6. The method of claim 1 4 wherein step (e) comprises failing 
to locate an instance of the requested resource in the 
second user isolation scope. 

1 7. The method of claim 1 6 wherein step (f) comprises 

redirecting the request to the application isolation scope. 

1 8. The method of claim 1 7 further comprising the steps of: 
locating an instance of the requested resource in the 
application isolation scope; and 

responding to the request for the native resource using the 
version of the native resource located in the application 
isolation scope. 

1 9. The method of claim 1 further comprising the steps of: 
redirecting to the isolation environment a request for a 
native resource made by a second process executing on 
behalf of a first user; 

locating an instance of the requested native resource in the 
user isolation scope; and 

responding to the request for the native resource using the 
version of the resource located in the user isolation scope. 



20. The method of claim 1 9 wherein step (e) comprises failing 
to locate an instance of the requested resource in the user 
isolation scope. 

21 . The method of claim 20 wherein step (f) comprises 
redirecting the request to a second application isolation 
scope. 

22. The method of claim 21 further comprising the steps of: 
locating an instance of the requested resource in the 
second application isolation scope; and 

responding to the request for the native resource using the 
version of the native resource located in the second 
application isolation scope. 

23. An isolation environment for isolating access by application 
programs to native resources provided by an operating 
system, the isolation environment comprising: 

a user isolation scope storing an instance of a native 
resource, the user isolation scope corresponding to a user; 
and 

a redirector intercepting a request for the native resource 



made by a process executing on behalf of the user and 
redirecting the request to the user isolation scope. 

24. The apparatus of claim 23 wherein the isolation 
environment further comprises an application isolation 
scope storing an instance of the native resource. 

25. The apparatus of claim 24 wherein the isolation 
environment further comprises a second application 
isolation scope storing an instance of the native resource. 

26. The apparatus of claim 23 wherein the redirector returns a 
handle to the requesting application that identifies the 
native resource. 

27. The apparatus of claim 23 further comprising a rules 
engine specifying behavior for the redirector when 
redirecting the request. 

28. The apparatus of claim 23 wherein the redirector comprises 
a file system filter driver. 

29. The apparatus of claim 23 wherein the redirector comprises 
a function hooking mechanism. 



30. The apparatus of claim 29 wherein the function hooking 
apparatus intercepts an operation selected from the group 
of file system operations, registry operations, WINDOWS 
services, MSI services, named object operations, window 
operations, file-type association operations and COM server 
operations. 

31 . The apparatus of claim 23 wherein the application isolation 
environment further comprises a second user isolation 
scope storing a second instance of the native resource. 

32. The apparatus of claim 23 wherein the application isolation 
environment further comprises a second user isolation 
scope storing an instance of the native resource, the second 
user isolation scope corresponding to a second user. 



